{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/online-voting-system-1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14649"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Online Voting System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve","initial-access"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability (CVE-2026-14649) has been identified in version 1.0 of the code-projects Online Voting System. This flaw, residing in the \u003ccode\u003etest_input\u003c/code\u003e function within the \u003ccode\u003e/saveVote.php\u003c/code\u003e file, allows an unauthenticated, remote attacker to execute arbitrary SQL commands on the backend database. Attackers can exploit this by manipulating specific parameters such as \u003ccode\u003evoterName\u003c/code\u003e, \u003ccode\u003evoterEmail\u003c/code\u003e, \u003ccode\u003evoterID\u003c/code\u003e, or \u003ccode\u003eselectedCandidate\u003c/code\u003e in HTTP POST requests. The vulnerability poses a significant risk as it can lead to unauthorized data access, modification, or potential full compromise of the voting system's integrity, impacting election results and voter privacy. Defenders need to prioritize patching and monitoring for malicious web requests targeting this endpoint.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker scans for internet-facing instances of \u003ccode\u003ecode-projects Online Voting System 1.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the \u003ccode\u003e/saveVote.php\u003c/code\u003e endpoint as a potential target for user input manipulation.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP POST request containing malicious SQL characters (e.g., \u003ccode\u003e' OR 1=1 -- -\u003c/code\u003e) within the \u003ccode\u003evoterName\u003c/code\u003e, \u003ccode\u003evoterEmail\u003c/code\u003e, \u003ccode\u003evoterID\u003c/code\u003e, or \u003ccode\u003eselectedCandidate\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003etest_input\u003c/code\u003e function in \u003ccode\u003e/saveVote.php\u003c/code\u003e processes the unsanitized input received from the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe malicious input is concatenated directly into a database query, leading to arbitrary SQL command execution on the backend.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker's embedded SQL, which could be designed for data exfiltration (e.g., \u003ccode\u003eUNION SELECT password_hash FROM users\u003c/code\u003e), data modification, or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe application returns an HTTP response containing results of the executed SQL query or an altered application state, confirming successful exploitation.\u003c/li\u003e\n\u003cli\u003eAttacker analyzes the response to extract sensitive data or confirm unauthorized changes to the voting system's records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14649 allows an unauthenticated attacker to execute arbitrary SQL commands on the backend database. This can lead to severe consequences including unauthorized access to sensitive voter data, manipulation of voting records, or even complete compromise of the database. Such a breach could undermine the integrity of election results, expose personally identifiable information of voters, and cause significant reputational damage to the organization. While no specific victim count or sectors are mentioned, any organization using the affected Online Voting System 1.0 is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch \u003ccode\u003ecode-projects Online Voting System 1.0\u003c/code\u003e to a version that addresses CVE-2026-14649. If no patch is available, consider implementing a web application firewall (WAF) with SQL injection detection rules.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-14649 Exploitation — SQL Injection in Online Voting System\u0026quot; to your SIEM for real-time detection of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging and review logs for suspicious HTTP POST requests to \u003ccode\u003e/saveVote.php\u003c/code\u003e containing SQL injection payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T20:21:26Z","date_published":"2026-07-04T20:21:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14649-sql-injection/","summary":"A remote SQL injection vulnerability (CVE-2026-14649) exists in code-projects Online Voting System version 1.0, located in the 'test_input' function within the '/saveVote.php' file, allowing an unauthenticated attacker to execute arbitrary SQL queries by manipulating 'voterName', 'voterEmail', 'voterID', or 'selectedCandidate' arguments.","title":"CVE-2026-14649: Remote SQL Injection in code-projects Online Voting System","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14649-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Online Voting System 1.0","version":"https://jsonfeed.org/version/1.1"}